This is an archive of the discontinued LLVM Phabricator instance.

Differential D153471

[lsan][Darwin] Unconditionally strip high bits from potential pointers
ClosedPublic

Authored by lgrey on Jun 21 2023, 2:36 PM.

Details

Reviewers
yln
usaari01
rsundahl
thetruestblue
Commits
rGac604cc310b7: [lsan][Darwin] Unconditionally strip high bits from potential pointers
Summary

The method cache stashes a mask in the high bits under some circumstances:
https://github.com/apple-oss-distributions/objc4/blob/689525d556eb3dee1ffb700423bccf5ecc501dbf/runtime/objc-cache.mm#L589

I'm hitting this now on macOS 13.4 arm64, so we can no longer rely on OBJC_DATA_MASK to identify potential pointers that need to be transformed

Diff Detail

Event Timeline

lgrey created this revision.Jun 21 2023, 2:36 PM
Herald added a project: Restricted Project. · View Herald TranscriptJun 21 2023, 2:36 PM
Herald added subscribers: Enna1, kristof.beyls. · View Herald Transcript
lgrey requested review of this revision.Jun 21 2023, 2:36 PM
Herald added a project: Restricted Project. · View Herald TranscriptJun 21 2023, 2:36 PM
Herald added a subscriber: Restricted Project. · View Herald Transcript
Harbormaster completed remote builds in B240357: Diff 533404.Jun 21 2023, 2:56 PM
yln added a comment.Jun 30 2023, 9:11 AM

Hi Leonard, thanks for this fix!

LGTM, with one nit: can you update the function name and comments to reflect the new behavior?

compiler-rt/lib/lsan/lsan_common.cpp
173–178
lgrey updated this revision to Diff 537469.Jul 5 2023, 12:58 PM

Update function name and comment

lgrey marked an inline comment as done.Jul 5 2023, 12:59 PM
lgrey added inline comments.
compiler-rt/lib/lsan/lsan_common.cpp
173–178

Done (but worded differently since it's not just class pointers)

Harbormaster completed remote builds in B243290: Diff 537469.Jul 5 2023, 1:22 PM
yln accepted this revision.Jul 12 2023, 7:11 PM
yln added reviewers: usaari01, rsundahl, thetruestblue.
This revision is now accepted and ready to land.Jul 12 2023, 7:11 PM
This revision was landed with ongoing or failed builds.Jul 17 2023, 12:19 PM
Closed by commit rGac604cc310b7: [lsan][Darwin] Unconditionally strip high bits from potential pointers (authored by lgrey). · Explain Why
This revision was automatically updated to reflect the committed changes.
lgrey marked an inline comment as done.
lgrey added a commit: rGac604cc310b7: [lsan][Darwin] Unconditionally strip high bits from potential pointers.

Revision Contents

PathSize
compiler-rt/
lib/
lsan/
14 lines

Diff 541181

compiler-rt/lib/lsan/lsan_common.cpp

Show All 28 Lines
# if SANITIZER_APPLE # if SANITIZER_APPLE
// https://github.com/apple-oss-distributions/objc4/blob/8701d5672d3fd3cd817aeb84db1077aafe1a1604/runtime/objc-runtime-new.h#L127 // https://github.com/apple-oss-distributions/objc4/blob/8701d5672d3fd3cd817aeb84db1077aafe1a1604/runtime/objc-runtime-new.h#L127
# if SANITIZER_IOS && !SANITIZER_IOSSIM # if SANITIZER_IOS && !SANITIZER_IOSSIM
# define OBJC_DATA_MASK 0x0000007ffffffff8UL # define OBJC_DATA_MASK 0x0000007ffffffff8UL
# else # else
# define OBJC_DATA_MASK 0x00007ffffffffff8UL # define OBJC_DATA_MASK 0x00007ffffffffff8UL
# endif # endif
// https://github.com/apple-oss-distributions/objc4/blob/8701d5672d3fd3cd817aeb84db1077aafe1a1604/runtime/objc-runtime-new.h#L139
# define OBJC_FAST_IS_RW 0x8000000000000000UL
# endif # endif
namespace __lsan { namespace __lsan {
// This mutex is used to prevent races between DoLeakCheck and IgnoreObject, and // This mutex is used to prevent races between DoLeakCheck and IgnoreObject, and
// also to protect the global list of root regions. // also to protect the global list of root regions.
static Mutex global_mutex; static Mutex global_mutex;
▲ Show 20 LinesShow All 120 Lines▼ Show 20 Lines
static uptr GetCallerPC(const StackTrace &stack) { static uptr GetCallerPC(const StackTrace &stack) {
// The top frame is our malloc/calloc/etc. The next frame is the caller. // The top frame is our malloc/calloc/etc. The next frame is the caller.
if (stack.size >= 2) if (stack.size >= 2)
return stack.trace[1]; return stack.trace[1];
return 0; return 0;
} }
# if SANITIZER_APPLE # if SANITIZER_APPLE
// Objective-C class data pointers are stored with flags in the low bits, so // Several pointers in the Objective-C runtime (method cache and class_rw_t,
// they need to be transformed back into something that looks like a pointer. // for example) are tagged with additional bits we need to strip.
static inline void *MaybeTransformPointer(void *p) { static inline void *TransformPointer(void *p) {
uptr ptr = reinterpret_cast<uptr>(p); uptr ptr = reinterpret_cast<uptr>(p);
if ((ptr & OBJC_FAST_IS_RW) == OBJC_FAST_IS_RW) return reinterpret_cast<void *>(ptr & OBJC_DATA_MASK);
ylnUnsubmitted
Done
ReplyInline Actions
# if SANITIZER_APPLE
- // Objective-C class data pointers are stored with flags in the low bits, so
- // they need to be transformed back into something that looks like a pointer.
- static inline void *MaybeTransformPointer(void *p) {
+ // Objective-C class pointers are tagged with additional bits that we need to strip.
+ static inline void *StripObjcClassPtr(void *p) {
uptr ptr = reinterpret_cast<uptr>(p);
return reinterpret_cast<void *>(ptr & OBJC_DATA_MASK);
}
# endif
yln:
lgreyAuthorUnsubmitted
Done
ReplyInline Actions

Done (but worded differently since it's not just class pointers)

lgrey: Done (but worded differently since it's not just class pointers)
ptr &= OBJC_DATA_MASK;
return reinterpret_cast<void *>(ptr);
} }
# endif # endif
// On Linux, treats all chunks allocated from ld-linux.so as reachable, which // On Linux, treats all chunks allocated from ld-linux.so as reachable, which
// covers dynamically allocated TLS blocks, internal dynamic loader's loaded // covers dynamically allocated TLS blocks, internal dynamic loader's loaded
// modules accounting etc. // modules accounting etc.
// Dynamic TLS blocks contain the TLS variables of dynamically loaded modules. // Dynamic TLS blocks contain the TLS variables of dynamically loaded modules.
// They are allocated with a __libc_memalign() call in allocate_and_init() // They are allocated with a __libc_memalign() call in allocate_and_init()
▲ Show 20 LinesShow All 105 Lines▼ Show 20 Linesvoid ScanRangeForPointers(uptr begin, uptr end, Frontier *frontier,
LOG_POINTERS("Scanning %s range %p-%p.\n", region_type, (void *)begin, LOG_POINTERS("Scanning %s range %p-%p.\n", region_type, (void *)begin,
(void *)end); (void *)end);
uptr pp = begin; uptr pp = begin;
if (pp % alignment) if (pp % alignment)
pp = pp + alignment - pp % alignment; pp = pp + alignment - pp % alignment;
for (; pp + sizeof(void *) <= end; pp += alignment) { for (; pp + sizeof(void *) <= end; pp += alignment) {
void *p = *reinterpret_cast<void **>(pp); void *p = *reinterpret_cast<void **>(pp);
# if SANITIZER_APPLE # if SANITIZER_APPLE
p = MaybeTransformPointer(p); p = TransformPointer(p);
# endif # endif
if (!MaybeUserPointer(reinterpret_cast<uptr>(p))) if (!MaybeUserPointer(reinterpret_cast<uptr>(p)))
continue; continue;
uptr chunk = PointsIntoChunk(p); uptr chunk = PointsIntoChunk(p);
if (!chunk) if (!chunk)
continue; continue;
// Pointers to self don't count. This matters when tag == kIndirectlyLeaked. // Pointers to self don't count. This matters when tag == kIndirectlyLeaked.
if (chunk == begin) if (chunk == begin)
▲ Show 20 LinesShow All 790 LinesShow Last 20 Lines